The Pension Boards—United Church of Christ, Inc. (“Pension Boards”) is the Plan sponsor of the UCC Medical and Dental Benefits Plan (“Plan”). The Plan is providing you with the enclosed Notice of Privacy Practices as required by law. If you received this Notice electronically, you are entitled to a paper copy of this Notice.
The Notice describes how medical information about you may be used and disclosed by the Plan and how you can get access to your information. Please review it carefully. If you have any questions about this notice, please contact the person listed in the “Questions and Complaints” section below.
The Plan may use, share, or disclose the personal health information it creates, receives, maintains, or transmits about you (called your “protected health information” or “PHI”) to pay health care benefits, operate the Plan for treatment by a health care provider, and for other purposes that are permitted or required by law. In addition, the Plan may use or disclose your information in other special circumstances described in the enclosed Notice. For any other purpose, the Plan will require your written authorization for the use or disclosure of your PHI.
You have the right to inspect and copy certain of your protected health information, request an amendment of the information, request restrictions on the use and disclosure of the information, request that communications be made to you through alternative means or at an alternative location, and obtain an accounting of the information that the Plan has disclosed for reasons other than treatment, payment, health care operations, required or authorized disclosures. There are certain limitations on these rights as explained in the Notice.
You may contact the following person for more information about the Plan’s privacy practices, to exercise your rights or to complain about how the Plan is handling your protected health information:
General Counsel and Corporate Secretary
The Pension Boards-United Church of Christ, Inc.
475 Riverside Drive
New York, NY 10115
The Pension Boards-United Church of Christ, Inc. (“Pension Boards”) sponsors group health plans (the “Plans”) that are subject to the Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”). These plans include:
To the extent you are enrolled in any insured arrangement or any insured option under a Plan, you may receive a separate privacy notice from your insured plan or option. That notice will apply to the insurer’s privacy practices. This Notice generally describes the Pension Boards’ privacy practices with respect to the Plans.
The privacy of your personal health information that is received, created, maintained, used, transmitted, or disclosed by the Plans is protected by HIPAA. The Plans are required by law to:
PHI is health information created, received, maintained or transmitted by a Plan that identifies (or may be used to identify) an individual. The information may appear on paper or in any other form. It does not include employment records held by the Pension Boards in its role as employer.
The Plans must:
The Plans, and the individuals who administer them, may use, receive, or disclose your PHI for treatment, payment or health care operations without obtaining a written authorization from you.
These activities cover a broad range of functions, including:
Additionally, we may share medical information with another entity to assist with the adjudication or subrogation of health claims, or with another health plan to coordinate benefit payments.
If applicable to your circumstances, and to the extent provided now or in the future, the Plans may use and disclose your PHI to provide you with appointment (or treatment) reminders, information about treatment alternatives or information about other health- related benefits and services that may be relevant to your situation.
The Plans contract with other businesses and individuals for certain plan administrative services. Each of these “business associates” may create, receive, maintain, and transmit your health information for purposes of performing services for or on behalf of the Plans as long as the business associate agrees in writing to protect the privacy of your information and meet certain other specified requirements.
Certain business associates may also use and disclose PHI for their own management, administration and legal responsibilities (and for purposes of aggregating data with data obtained from other clients for evaluation of Plan design issues and other appropriate Plan purposes). Business associates maintain most of the PHI under the Plans and conduct most of the activities that involve PHI.
Under certain terms and conditions, the Plans (and the organizations offering benefits under the Plans) may disclose PHI to the Pension Boards, as the Plan sponsor. Ordinarily these disclosures are limited to enrollment information and information necessary for administration of the Plans.
A Plan may disclose PHI to other health plans, health care providers, and health care clearinghouses (which translate electronic health information from one format to another) for purposes of their own provision of treatment, payment, or certain health care operation services (such as quality assurance, case management, care coordination, licensing, credentialing and the detection of fraud and abuse). Where the disclosure is to another
Plan covered by this Notice, disclosure is permitted for additional services related to that Plan’s operations (such as enrollment, auditing, legal services, business planning and development, management and administrative activities, and customer service).
In all situations, the Plans will limit PHI use, disclosure, or request to the minimum necessary to accomplish the intended purpose.
Pursuant to changes to HIPAA required by the Health Information Technology for Economic and Clinical Health Act of 2009 and its implementing regulations (collectively, “HITECH Act”) under the American Recovery and Reinvestment Act of 2009 (“ARRA”), this Notice also reflects federal breach notification requirements imposed on the Plans in the event that your “unsecured” protected health information (as defined under the HITECH Act) is acquired by an unauthorized party.
We understand that medical information about you and your health is personal, and we are committed to protecting your medical information. Furthermore, we will notify you following the discovery of any “breach” of your unsecured protected health information as defined in the HITECH Act (the “Notice of Breach”). Your Notice of Breach will be in writing and provided via first-class mail, or alternatively, by email if you have previously agreed to receive such notices electronically. If the breach involves:
Your Notice of Breach shall be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and shall include, to the extent possible:
Additionally, for any substitute Notice of Breach provided via web posting or major print or broadcast media, the Notice of Breach shall include a toll-free number for you to contact us to determine if your protected health information was involved in the breach.
The Plans are also permitted to use or disclose your PHI, without obtaining a written authorization from you, in the following circumstances:
If items 4 and 5 do not apply, the Plans may not use or disclose your PHI unless you authorize the use or disclosure in writing. As a result, uses and disclosures of PHI for marketing purposes and disclosures that constitute a sale of PHI will be made only with your express written authorization. Please note that the Plans do not use your PHI for marketing or fundraising purposes. However, if the data that identifies you in the PHI is appropriately removed, this non-identifiable information may then be used or disclosed without your authorization.
Please remember, if you have questions or a problem relating to a claim, a network provider or other matter pertaining to a particular benefit option, you will typically be directed to an appropriate contact person with the relevant business associate or other vendor to resolve the matter. If it is necessary for the Pension Boards to assist you directly in resolving the issue, you will usually be required to complete an authorization form.
Also keep in mind that your family members will not automatically be provided with access to your PHI on their request. However, on request, the Plan will provide your PHI to any family member or other person who demonstrates that he or she is your personal representative or whom you appropriately authorize to have access to your PHI. In addition, Explanations of Benefits (“EOBs”) and other claim denials will continue to be sent to the employee or former employee who enrolls in a Plan.
You will need to complete a prescribed written authorization form. An authorization form is available on the Pension Boards’ website (www.pbucc.org) or by calling Member Services toll-free at 1.800.642.6543. you may revoke your authorization, in writing, at any time, and the revocation will be followed to the extent action on the authorization has not yet been taken.
The privacy laws of a particular state or other federal laws might impose a more stringent privacy standard. If these more stringent laws apply and are not superseded by federal preemption rules, the Plans will comply with the more stringent law.
No, the Plans are prohibited from using or disclosing PHI that is genetic information for underwriting purposes.
You have the right to:
Notwithstanding the foregoing, you may request an accounting of disclosures of any “electronic health record” (that is, an electronic record of health-related information about you that is created, gathered, managed, and consulted by authorized health care clinicians and staff). To do so, however, you must submit your request and state a time period, which may be no longer than three years prior to the date on which the accounting is requested. In the case of any electronic heath record created on your behalf on or before January 1, 2009, this paragraph shall apply to disclosures made on or after January 1, 2014. In the case of any electronic health record created on your behalf after January 1, 2009, this paragraph shall apply to disclosures made on or after the later of January 1, 2011, or the date we acquired the electronic health record.
Certain administrative rules may apply to these individual rights. For example, you may be required to submit a request in writing or on a prescribed form, and you may be charged the cost of copying and postage. Your right to make a request does not necessarily mean that your request will be approved. Where a response to your request is appropriate, it will ordinarily be provided to you in writing.
To exercise your individual rights with respect to information held by the Plan administrator, you should write the Information Contact identified in item 11. We will not ask you the reason for any of these requests. We will accommodate all reasonable requests and your request should specify how or where you wish to be contacted.
Because most of your PHI under the Plans, particularly claims information, is held by your claims administrator, it will often make sense for you to contact that entity directly to obtain access to, amend, or receive an accounting of disclosures of your PHI.
You may file a complaint with the Plans’ Information Contact, identified below (see item 11), and with the Secretary of the U.S. Department of Health and Human Services if you believe your privacy rights have been violated. Their contact information is available below. All complaints must be filed in writing. Federal law prohibits retaliation against any employee for filing a complaint.
If you have any questions about this Notice or a complaint relating to how your PHI is handled, please contact the Information Contact:
General Counsel and Corporate Secretary
The Pension Boards-United Church of Christ, Inc.
475 Riverside Drive
New York, NY 10115
To contact the Secretary of the U.S. Department of Health and Human Services, you may write to the regional office of the U.S. Department of Health and Human Services.
The effective date of this version of the Notice is August 1, 2022.
Each Plan reserves the right to change the terms of this Notice with respect to its privacy and information practices and to make the new provisions effective for all PHI it maintains, consistent with legal requirements. You will be informed of any material revisions to this Notice.